Practical Applications of Software Security Model Chris Nagel

Transcription

1 Practical Applications of Software Security Model Chris Nagel Software Security Consultant Fortify Software

2 Introductions About Me: Chris Nagel Software Security Consultant With Fortify for 2+ Years Before Fortify - Senior Software engineer for USAF(12 years) Air Force Wargaming Institute Developing Wargames Developed.NET web and windows apps in C# Extensive experience in all areas of the SDLC Last 2 years with USAF Application Software Assurance Center of Excellence (ASACoE) Education MS and BS in CS 2

3 Agenda History The ASACoE Process Challenges Lessons Learned Q&A

4 In the Beginning 4

5 History August 2005 USAF Human Resource System Breached 33,000 Personnel Records Stolen Attack vector was software related Impact was felt throughout the USAF

6 Response Software Security Pilot Program Lead by Maj. Bruce Jenkins Critical vulnerabilities were found in all pilot applications Decision was made to organize a group dedicated to software security Fall 2006 Application Software Assurance Center of Excellence

7 Response Vehicle Contract competition to find best automated security software Focus on 3 areas: Static Analysis (Source Code Analysis) Dynamic Analysis (Penetration Testing) Data Tier Analysis (Database STIG Checking) The Winners Fortify Software (SCA and 360 Server) IBM Rational Appscan AppSecInc AppDetective Services Prime Contractor Telos Subcontractors Fortify and Cigital

8 Mastering SSA: ASACoE Program Management Offices Visited: 96 Applications Assessed: 600+ Total Lines of Code Assessed: 93,921,058 Ramstein AB Germany

9 ASACoE Benefits Significant Risk Mitigation throughout the SDLC Cost and Time Savings for PMOs Certification & Accreditation Processing Time Reduced Real Time Protection for Fielded Operational Systems

10 60.00 Critical/High Vulnerabilities Per 1,000 Lines of Code Initial Follow-On % % 9% 60% 75% 69% 0.00 App1 App2 App3 App4 App5 App6

11 The ASACoE Process 11

12 The ASACoE Process Support Enable Train 5 Day On-Site Triage Assessment Triage Assessment Report; Augment Remediation Efforts; Follow-up Scans 3 Day Training Session

13 The ASACoE Process - Train 3 Day Training Session 1 Day Defensive Programming Need for Software Assurance Case Studies Vulnerability Examples ½ Day AppDetective Training 1 Day Fortify SCA Training ½ Day Fortify RTA/PTA/360 Server Mixed audience: Managers, IA, Developers Hosted at Gunter AFB or other AFBs 13

14 The ASACoE Process On-Site Scan codebase with the goal of integrating into the build process Help optimize scans to your codebase Mentor developers on secure coding practices Defensive programming techniques Triage scan results with developers Triage your FPR s as well as AppDetective and AppScan results. Time is limited so a full triage of the FPR s will be delivered with the final report The tools will be left behind and a security assessment report will be delivered to the PMO. This will enable you to perform regular scans on your own 14

15 The ASACoE Process On-Site ASACoE Assessment Team (4 person team) At least 1 Organic and the rest Contractors Contractors serve as Subject Matter Experts Organics serve as Team Chiefs All team members trained to use software suite Product specialization depending on background Periodic rotation of duties 15

16 The ASACoE Process On-Site 16

17 The ASACoE Process - Support -1 st Tier Support - Link to Vendors Support Remediation - 3 rd Party Resources - Verification -New Training - New Assessment Re- Assess Follow Up Scans - Further Analysis - Custom Rules 17

18 Challenges 18

19 Challenges Challenge #1: NO MANDATE No clear vision for software assurance Currently working with proactive groups Large focus on new business Can put a damper on remediation Could be making a bigger splash 19

20 Challenges Challenge #2: Moderate Adoption Many re-assessments reveal moderate adoption of software assurance Focus on scanning leaves little time for process development and automation Need alternate training methods 20

21 Challenges Challenge #3: Awareness and Education Complex problem with complex solution All leadership levels need to be made aware of the risks associated with software vulnerabilities Getting the word out SAF/A6 and AFSPC Provide policy recommendations and best practices AF Institute of Technology, AF Academy, and Cyber Technical Schools Aided US Navy, Army & Canadian Army Stand Up Similar Centers 21

22 Software Assurance Process Lessons Learned 22

23 Software Assurance Process Lessons Lesson #1: Clear Communication Regarding Security Before assessment, try to define policies and expectations Ensure that policies and expectations are communicated to all stake holders Consistently enforce policies and expectations 23

24 Software Assurance Process Lessons Lesson #2: Don t Bite Off More Than You Can Chew Large amounts of issues are typically found during software assurance assessment Don t Panic Assess risk of vulnerabilities and prioritize what gets fixed first Still worried? Try Fortify RTA! 24

25 Software Assurance Process Lessons Lesson #3: Automate the Process If you don t have continuous builds, it s worth looking at Integrate Fortify SCA into your build process Automate FPR uploads to Fortify 360 Server Use alerts to notify stake holders 25

26 Training Lessons Learned 26

27 Training Lessons Lesson #1: The ASACoE Training is good for everyone The content is mainly tailored for developers, but it s good for Managers, IA, Builders, etc. Get refresh training from ASACoE Incorporate ASACoE training slides into new hire training 27

28 Training Lessons Lesson #2: The ASACoE Training Is Not Enough Designed to scratch the surface Software Security is very complex and requires continual education Develop required training program for developers Because Software Security is relatively new, getting training information can be difficult Many software security blogs Books Instructor lead training and conferences Software Security certifications are emerging Certified Software Security Lifecycle Professional (CSSLP) SANS Institute 28

29 Training Lessons Lesson #3: Not Everyone Learns the Same Not everyone can learn effectively from instructor lead classes CBTs can be effective and are available from Fortify Some developers prefer self study 29

30 Technology Lessons Learned 30

31 Technology Lessons Lesson #1: Explore Fortify Custom Rules The default Fortify rule packs cover most APIs, but not everything Custom rules are used to educate SCA on custom APIs or 3 rd party APIs not covered Can also enforce policies in code Very detailed topic Fortify can provide training 31

32 Technology Lessons Lesson #2: Integrate with Bug Tracking If you re using a bug tracking system, and you should be, integrate with Fortify 360 We support Bugzilla out of the box Can also support: Microsoft Team Foundation Server JIRA HP Quality Center Exposed API for other systems 32

33 Technology Lessons Lesson #3: Explore Custom Reports Reporting system is based on BIRT, and open source report engine Fortify Report templates available in Fortify 360 Server The ASACoE/Fortify can help with custom reports 33

34 Closing Remarks The ASACoE process was designed to assess the largest amount of applications possible not the best fit for everyone If you like the ASACoE approach, they will help with implementing their model When considering establishing a Center of Excellence, first consult industry standards (SAMM, BSIMM) 34

35 Questions?